Stephane Chazelas discovered a vulnerability in bash, related to how environment variables are processed: trailing code in function definitions was executed, independent of the variable name.

This vulnerability in bash allows an adversary who can pass commands to bash to execute arbitrary code. Because bash is a common shell for evaluating and executing commands from other programs, the vulnerability may affect many applications that evaluate user input and call other applications via a shell, and it impacts any system that uses a vulnerable bash.

It wasn’t long until the bug was patched. CloudFlare: “We got 95 percent of it done within 10 minutes.”

Overview

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

HTTP_COOKIE: The visitor’s cookie, if one is set
HTTP_HOST: The hostname of the page being attempted
HTTP_REFERER: The URL of the page that called your program
HTTP_USER_AGENT: The browser type of the visitor

The bug can be exploited by code that passes through the Bash interpreter. CGI programs and CGI scripts are the most affected, but anything passed to Bash is exploitable. Command execution can be achieved through HTTP headers and POST/GET parameters.

A firewall is recommended to monitor for the vulnerability in HTTP headers, and a signature will be added for the POST/GET fields. The signature can also monitor for attempts to bypass detection via multiple white-space, using ( ){ command and ( ) { command and ( ) {.
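
A whitespace-tolerant detection signature of the kind described above, as an added example (not from the original page or from any firewall product). The function names, the percent-decoding step and the sample request are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Function-definition marker with any amount of whitespace between tokens,
# covering the "( ){" and "( ) {" spellings the text describes.
FUNC_DEF = re.compile(r"\(\s*\)\s*\{")

def is_suspicious(value):
    """True if a header or parameter value contains the marker.

    Assumption: fields may arrive percent-encoded, so the value is also
    checked after decoding twice (to catch double encoding).
    """
    decoded = unquote_plus(unquote_plus(value))
    return bool(FUNC_DEF.search(value) or FUNC_DEF.search(decoded))

def scan_request(headers, params):
    """Return sorted (location, name) pairs for every matching field."""
    fields = [("header", n, v) for n, v in headers.items()]
    fields += [("param", n, v) for n, v in params.items()]
    return sorted((where, n) for where, n, v in fields if is_suspicious(v))

# Constructed sample request; "command" is a placeholder, as in the text.
SAMPLE_HEADERS = {
    "HTTP_USER_AGENT": "( ){ command",
    "HTTP_REFERER": "(   )   { command",
    "HTTP_COOKIE": "session=abc123",
    "HTTP_HOST": "www.example.com",
}
SAMPLE_PARAMS = {
    "q": "%28%29%20%7B%20command",  # percent-encoded "() { command"
    "page": "2",
}

if __name__ == "__main__":
    for where, name in scan_request(SAMPLE_HEADERS, SAMPLE_PARAMS):
        print(f"ALERT {where} {name}")
```

Because the pattern matches anywhere in a value, ordinary text containing `(){` (JavaScript in a form field, for example) also fires, so hits are alerts to triage rather than proof of an attempt.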